= CZ3 PTO/SB/05 (1/98) 

= please type a plus sign (+) inside this box -» fTl Approved for use through 09/30/2000. OIVg0651^ffi ■ 

iS^T Patent and Trademark Office US. DEPARTMENT OFPOMM^S 
= Under the Paperwork Reduction Act of 1995, no persons are requireajojgsjxgidj^ 



UTILITY 
PATENT APPLICATION 
TRANSMITTAL 

{Only for new nonprovisional applications under 37 CFR 1. 53(b))_ 



Attorney Docket No. \ 543-98-015 




c 


First Inventor or Application Identifier \ Doerenberg 






Title | Fault Tolerant Data Communication Network 






Express Mail Label No. I EL447184665US 







APPLICATION ELEMENTS 

See MPEP chapter 600 concerning utility patent application contents. 



Assistant Commissioner for Patents 
ADDRESS TO: Box Patent Application 
Washington, DC 20231 



m 

pendency of this application to Deposit Account No. 

X Specification [Total Pages 

' ' (preferred arrangement set forth below) 



Please charge the fees indicated on the attached fee transmittal and 
credit overpayments or charge any and all fees due throughout the 
01-1113. 



- Descriptive title of the Invention 

- Cross References to Related Applications 

- Statement Regarding Fed sponsored R&D 

- Reference to Microfiche Appendix 

- Background of the Invention 

- Brief Summary of the invention 

- Brief Description of the Drawings (if filed) 

- Detailed Description 

- Claim(s) 
-Abstract of the Disclosure 

3. | x | Drawing(s) (35 U.S.C. 113) [Total Sheets 



6. | | Microfiche Computer Program (Appendix) 

7. Nucleotide and/or Amino Acid Sequence Submission 
(if applicable, all necessary) 

Computer Readable Copy 

Paper Copy (identical to computer copy) 

Statement verifying identity of above copies 



Oath or Declaration [Total Pages 

I Newly executed (original or copy) 



□ Copy from a prior application (37 C.F.R. § 1 .63(d)) 
(for continuation/divisional with Box 17 completed) 
[Note Box 5 below] 
DELETION OF INVENTOR(S) 

Signed statement attached deleting 
inventor(s) named in the prior application, 

□ see 37 C.F.R. §§ 1 .63(d)(2) and 1.33(b). 
Incorporation By Reference (useable if Box 4b is checked) 
The entire disclosure of the prior application, from which a copy 
of the oath or declaration is supplied under Box 4b, is 
considered to be part of the disclosure of the accompanying 
application and is hereby incorporated by reference therein. 



□ 



ACCOMPANYING APPLICATION PARTS 



Assignment Papers (cover sheet & document(s)) 
37 C.F.R.§3.73(b) Statement 



(when there is an assignee) 

□ 



Power of Attorney 



English Translation Document (if applicable) 
Information Disclosure I I Copies of IDS 
Statement (lDS)/PTO-1 449 | | Citations 

Preliminary Amendment 

Return Receipt Postcard (MPEP 503) 
(Should be specifically itemized) 

□ * Smal1 En * il y I 1 Statement filed in prior application, 
Statement(s) 
(PTO/SB/09-12) 1 1 

□ Certified Copy of Priority Document(s) 
(if foreign priority is claimed) 



| Status still proper and desired 



17. If a CONTINUING APPLICATION, check appropriate box, and supply the requisite information below and in a preliminary 
I x [continuation Q Divisional Q Continuation-in-part (CIP) of prior application No: 60/113.787_ 
^Hor application information: Examiner ^Group/MUnit^ 



18. CORRESPONDENCE ADDRESS 



CH Customer Number or Bar Code Label 



(Insert Customer No. oi ]^achjbar^eja^lh&r») mm 



Correspondence address below 



e C. Suchodolski 



AlliedSignal, Inc. 



101 Columbia Road, P. O. Box 2245 



Name (PnnVType) 


Jeanne C. Suchodolski 


| Registration No. (Attorney/Agent) 


34,936 


Signature 




-= — -= | Dafe 


/Z/z/99- 



Burden Hour Statement This form is estimated to take 0.2 hi , - ~ , —<- -.- - . ; 

the amount of time you are requirea to complete this form should be sent to the Chief Information Officer, Patent and Trademark Office, Washington, DC 20231. 
DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Assistant Commissioner for Patents, 
Box Patent Application, Washington, DC 20231. 



Patent Application 

Attorney Docket No.: 543-98-015 



Express Mail Label No. EL447184665US 



PATENT APPLICATION 
" FAULT TOLERANT DATA COMMUNICATION NETWORK " 



Inventor(s): 

Frank M.G. Doerenberg 
23527 NE 22 nd Street 
Redmond, WA 98053-4415 

Michael Topic 

9301 Avondale Road NE 

Redmond, WA 98052 



Assignee: 

Allied Signal, Inc. 
Morristown, N.J. 



Entity: 



Large 



Patent Application 
Attorney Docket No.: 543-98-015 



FAULT TOLERANT DATA COMMUNICATION NETWORK 

This application claims the benefit of U.S. Provisional Application Serial No. 
60/1 13,787, filed in the names of Frank M.G. Doerenberg and Michael Topic on December 

5 22, 1998, the complete disclosure of which is incorporated herein by reference. 

This application is related to U.S. application Serial No. 09/009,463 (Attorney 
Docket No. 543-97-001), filed in the names of Frank M.G. Doerenberg and James 
McElroy on January 20, 1998, which is a Continuation of U.S. Provisional Application 
Serial No. 60/035,856 filed January 21, 1997, and U.S. application Serial No. (Attorney 

1 0 Docket No. 543-98-0 1 3), filed in the names of Frank M.G. Doerenberg and Michael Topic 
on the same date herewith, which is a Continuation of U.S. Application Serial No. 
09/009,463, the complete disclosures of which are incorporated herein by reference. 

FIELD OF THE INVENTION 

1 5 This invention relates to fault tolerant data bus architectures and more particularly 

to use of such architectures in safety critical avionics. 

BACKGROUND OF THE INVENTION 

It is generally recognized that there is a need to employ digital computers in 
20 applications in which improper operation could have severe consequences. For example, a 
sophisticated flight hazard warning system has been developed for aircraft which utilizes a 
number of independent warning systems including a ground proximity warning system, a 
wind shear detection system and a collision avoidance system. This particular system is 
generally described in U.S. Patent Application Serial Number 08/847,328, filed April 23, 
25 1997 and entitled: "Integrated Hazard Avoidance System", and is incorporated herein by 
reference. In the preferred embodiment described therein, a central computer, which may 
include multiple processors for redundancy, receives via various input/output (I/O) 
modules various types of flight data useful for anticipating and warning of hazardous flight 
conditions. Such information may include but is not limited to: barometric altitude, radio 
30 altitude, roll and pitch, airspeed, flap setting, gear position, and navigation data. This 
information is communicated to the central computer via a data bus. 



s:\law_file\dockets\Utility App - Topolgy 1 



Patent Application 
Attorney Docket No.: 543-98-015 



For such an integrated warning system to provide warnings with a high degree of 
integrity, the data operated upon and instructions issued by the central computer must be 
accurate. A bus architecture to transfer data between each of the I/O modules in an orderly 
manner must therefore exist. Data placed on the bus must also be accurate and without 

5 error. Also, it is important to ensure, to the extent possible, that the individual systems 
execute the warning programs correctly. 

There have been various approaches to solving these problems. For example such a 
system is described in ARTNC Specification 659 entitled Backplane Data Bus published on 
December 27, 1993 by Aeronautical Radio, Inc. In this system the bus includes four data 

1 0 lines and has a pair of Bus Interface Units ("BIU") for each processor or node on the data 
system where each BIU is connected to two data lines in the bus. Data is transferred 
according to a time schedule contained in a table memory associated with each BIU. The 
tables define the length of time windows on the bus and contain the source and destination 
addresses in the processor memory for each message transmitted on the bus. These types of 

15 systems also use for some applications two processors that operate in a lock-step 
arrangement with additional logic provided to cross-compare the activity of the two 
processors. The two processors, each with its own memory, execute identical copies of a 
software application in exact synchrony. This approach usually requires that the two 
processors must be driven by clock signals that are synchronized. 

20 Although such systems have high data integrity and provide for fault tolerant 

operation, they have a number of disadvantages. For example the use of tables having data 
source and destination addresses for each application program in the processor memory 
makes it difficult to reprogram the system for new applications because each table in the 
system must be reprogrammed. In addition, the use of two processor operating in lock-step 

25 reduces the flexibility of the system since it is not possible to run two different programs 
on the processors at the same time. 

Application Serial No. 09/009,463 discloses a fault tolerant bus architecture and 
protocol for use in an Integrated Hazard Avoidance System of the type generally described 
therein as well as other applications, aviation and otherwise, wherein data is to be handled 

30 with a high degree of integrity and in a fault tolerant manner. The system is partitioned into 
modules and an inter-module backplane data bus is shared between the modules to transfer 
data between the modules. The modules themselves may host multiple application 
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functions that also share the backplane bus. The backplane bus is fault tolerant, multi-drop, 
time-multiplexed broadcast bus in which serial data is preferably transferred in a semi- 
duplex manner. Each module, or fault containment node, includes a single source 
microprocessor that executes instructions to place data onto the bus. Bus interface 

5 controllers, each with an independently driven clock, compare the retrieved data. If the 
interface controllers are in agreement, the data is placed on the bus. 

According to co-pending application Serial No. 09/009,463, the data is preferably 
placed on the bus using a data bus protocol that allocates to each node a predetermined 
number of slots in which to transmit. Each module contains a time table memory 

1 0 associated with each bus interface controller that stores the bus protocol information to 
enable the node to place data in a predetermined channel on the bus at the appropriate time 
period. A space table associated with each bus interface controller indicates the address 
space in a processor memory from which the data is to be transferred to the bus. 

Co-pending application Serial No. (Attorney Docket No. 543-98-013) provides an 

1 5 improvement over the disclosure of application Serial No. 09/009 having a simplified time 
deterministic bus traffic protocol that is independent of the communication protocol and 
the number of sub-busses. 

Although such systems have high data integrity and provide for fault tolerant 
operation, alternative bus topology can enhance the data integrity and fault tolerant 

20 operation of such systems. 

SUMMARY OF THE INVENTION 

The present invention provides a fault tolerant bus architecture and protocol for use 
in an Integrated Hazard Avoidance System of the type generally described above. In 

25 addition, the present invention may also be used in applications, aviation and otherwise, 
wherein data is to be handled with a high degree of integrity and in a fault tolerant manner. 
Such applications may include for example, the banking industry or other safety critical 
processing functions, including but not limited to environmental control. 

In the present invention as applied to an integrated flight hazard avoidance system, 

30 the system is partitioned into modules. An inter-module backplane data bus is shared 

between the modules to transfer data between the modules. The backplane bus according to 
the present invention is fault tolerant, multi-drop, time-multiplexed broadcast bus. The 
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inter-module backplane bus includes multiple independent data lines grouped into multiple 
data communication networks. In a preferred embodiment, the inter-module backplane bus 
includes four independent data lines divided into two data communication networks each 
having two data lines. Each module is provided with reception privileges on one or more of 

5 the data lines of each data communication network. In a preferred embodiment, each 
module is provided with reception privileges on all of the data lines of each data 
communication network, while restricted to transmission privileges on less than all of the 
data lines of each data communication network. For example, in a backplane bus having 
dual data communication networks, each including dual independent data lines, each 

1 0 module has transmission privileges on only one of each data line of each data 

communication network, while enjoying reception privileges on both data lines of both 
data communication networks. Alternatively, according to another embodiment of the 
invention, each module has transmission privileges on only one of each data line of each 
data communication network, while reception privileges are restricted to the other of the 

15 two data lines of each data communication network. The modules themselves may host 
multiple application functions that also share the backplane bus. In a preferred embodiment 
of the invention, serial data is transferred in a semi-duplex manner. 

BRIEF DESCRIPTION OF THE DRAWINGS 

20 The foregoing aspects and many of the attendant advantages of this invention will 

become more readily appreciated as the same becomes better understood by reference to 
the following detailed description, when taken in conjunction with the accompanying 
drawings, wherein: 

Fig. 1 is a block diagram of an integrated hazard avoidance system illustrating an 
25 application of a data bus system according to the invention; 

Fig. 2 is a block diagram of a node of a data bus system utilizing a single processor 
and a pair of bus interface controllers according to co-pending application Serial No. 
09/009,463; 

Fig. 3 A illustrates an example of an alternative backplane bus architecture 
30 including a processing node of the data bus system according to co-pending application 
Serial No. (Attorney Docket No. 543-98-013), wherein the processing node includes a 
processor capable of hosting multiple application functions and a backplane bus interface; 
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Fig. 3B is a block diagram of a node of the data bus system utilizing two processors 
and two arbitration circuits according to co-pending application Serial No. (Attorney 
Docket No. 543-98-013); 

Fig. 4A illustrates an example of an alternative backplane bus architecture 
5 according to the invention, including two resource enclosures, wherein processing nodes in 
contained in each resource enclosure have full reception privileges on all sub-busses of 
each data communication network but are restricted to transmitting on less than all of the 
sub-busses; 

Fig. 4B illustrates an example of the backplane bus architecture illustrated in Fig. 

1 0 4A applied to an integrated hazard avoidance system; 

Fig. 5 illustrates the flexibility of the fault tolerant backplane bus architecture of the 
invention disclosed in Figs. 4A and 4B, wherein the network topology backplane bus 
architecture of Fig. 4 is combined with one or more stand-alone line replaceable unit or 
LRU, each including one or more function modules; 

1 5 Fig. 6 illustrates an alternative embodiment of the invention having a triad 

configuration, wherein three or more individual data communications networks, each 
including multiple individual isolated sub-busses, are arranged such that processing nodes 
contained in each of three or more resource enclosures are interconnected with processing 
nodes contained in each of two or more other resource enclosures; 

20 Fig. 7A illustrates an example of a federated topology backplane bus architecture of 

the invention, including two, three or more processing nodes formed as line replaceable 
units. 

Fig. 7B illustrates one embodiment of the invention using federated topology 
backplane bus architecture applied to an integrated hazard avoidance system; and 
25 Fig. 8 illustrates the alternative embodiment of the invention applied to multiple 

redundant aircraft system busses. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT 

In the Figures, like numerals indicate like elements. 
30 Fig. 1 details in block diagram form an integrated hazard avoidance system (IHAS) 

1 0 for aircraft to illustrate a system in which the data bus system of the present invention 
can be incorporated. Because the IHAS 10 includes a number of microprocessor based 

s:\law_file\dockets\Utility App - Topolgy 5 



Patent Application 
Attorney Docket No.: 543-98-015 



systems as well as receiving data from other systems, it is desirable that data be transmitted 
with a high degree of integrity between the various components of the system. Included in 
the IHAS 10 is a conventional traffic alert and collision avoidance system (TCAS) 12 
which is connected to a pair of directional antennae 14 and 16. A central computer 18 is 
5 connected to TCAS 10 and to I/O module 20. Central computer 18, which can include 
multiple processors for redundancy, performs the hazard detecting and alerting functions as 
described in provisional application 60/016,277 incorporated herein by reference. Flight 
data as indicated generally by block 26 are input to the central computer 10 via I/O module 
20. 

10 Central computer 1 8 uses conventional programs for generating the basic ground 

proximity warnings (GPWS) including enhanced ground proximity warnings (EGPWS), 
windshear warnings including predictive and reactive windshear alerts, and TCAS alerts. 
Descriptions of suitable GPWS systems are provided in US Patent Nos. 4, 567,483, 
5,220,322; 4,433,323; 5,187,478 and 4,684,948 all of which are hereby incorporated by 
1 5 reference. Descriptions of suitable EGPWS systems are provided in Patent Application 
Serial numbers 08/509,660 and 08/509,702 which are hereby incorporated by reference. 
Suitable windshear systems are described in US Patent Nos. 4,905,000; 5,059,964, 
4,725,81 1; 4,947,164; 5,153,588 and 4,891,642 and are hereby incorporated by reference. 
Suitable commercially available TCAS systems and associated hardware are described in 
20 US Patent Nos. 5,122808; 5,272,725; 4,914,733; 5,008,844 and 4,855,748 and in published 
documents: "Pilot's Guide TCAS II CAS 67/A81 A Bendix/King Traffic Alert and 
Collision Avoidance Systems" and "Pilot's Guide CAS 66A Bendix/King TCAS I 
Collision Avoidance System" and are hereby all incorporated by reference. 

The IHAS 10 of Figs. 1 may host applications of any criticality level form non- 
25 essential to flight critical. The system architecture allows new applications to be added 
through software changes, without requiring additional hardware, by employing central 
processors along with common power and I/O interfaces. The IHAS system is not merely a 
collection of individual functions packaged in a single unit. IHAS is a complete system 
design with hardware processing modules, such as I/O modules, processor units and a dual 
30 power supply. A current exception to this philosophy are the TCAS/Mode S RF module, 
and the Radar RF module. The reason for these exceptions is that the highly specialized 
functions are more optimally included in other than the general processing hardware. 



s:\law_file\dockets\Utility App - Topolgy 6 



Patent Application 
Attorney Docket No.. 543-98-015 



One possible set of functions for IHAS includes: 

Weather Radar with Predictive Windshear Detection 

Ground Proximity Warning with Reactive Windshear Detection 

Traffic Alert and Collision Avoidance System 
5 Mode Select Transponder 

Flight Data Acquisition Unit and Data Management System 
Other functions and combinations of functions can also be included in the IHAS 10. The 
IHAS design provides an open architecture environment that allows functions and 
components to be developed by the aircraft manufacturer, airline or other vendors. 
10 By centralizing the crew alerting functions of the hazard warning systems included 

in the IHAS 10, the IHAS 10 can eliminate conflicting and redundant crew messages and 
provide optimal message prioritization. The present invention, permits the exchange of 
data from each of the modules of IHAS in a manner that ensures data integrity as well as in 
a fault tolerant manner. The data bus architecture of the present invention thus permits an 
1 5 integrated hazard warning device for aviation to operate with robustness and integrity of 
data processing and with the obvious safety benefits thereof. False or inaccurate warnings 
are thereby reduced or eliminated and the likelihood that a warning will fail to be given is 
also reduced or eliminated. Furthermore, as discussed in detail below, the present invention 
also provides for application specific levels of robustness and fault tolerance depending 
20 upon user preference or the safety criticality of the associated application. 

Although a preferred embodiment of the present invention is described in 
connection with the IHAS application shown in Fig. 1, it is to be understood that the 
present invention is applicable to any application where fault tolerant and robust data 
processing bus architectures are desirable. 

25 Basic Architecture 

Fig. 2 illustrates an example of a basic backplane bus architecture as disclosed in 
above incorporated U.S. application Serial No. 09/009,463. The basic backplane bus 
architecture includes a node 100 containing a single processor 102, such as a 
microprocessor, of the data bus system according to the invention. The backplane bus 

30 architecture provides a high-integrity, time-multiplexed data bus for the purpose of 

transferring digital data between nodes within the same system enclosure. The processing 
node 100 consists of the processing entity 102 that can host multiple application functions, 
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including input/output functions, if the node is an I/O module for example, and a backplane 
bus interface 104. Node 100 is connected to a set of four bus signal lines, Ax, Bx, Ay and 
By indicated by a reference numeral 106. In the preferred embodiment, there is no 
centralized control of the bus. The bus interface 104 includes the following major 
5 components: a pair of Bus Interface Controllers ("BICs") 108 and 1 10; independent clock 
oscillators 130 and 132; a pair of independent table memories 1 12 and 1 14; backplane 
transceivers; and physical-ID ports. In a preferred embodiment disclosed in above 
incorporated application Serial No. 09/009,463, bus 106 has four transmission lines in a 
dual-dual configuration. Each node 100 contains two BICs 108 and 1 10. The purpose of 
10 BICs 108 and 1 10 is to manage all data transfers between bus 106 and a memory 120 
associated with host processor 102. They format data-to-be-transmitted into messages, and 
transmit them onto bus 106 during uniquely designated time slots. BICs 108 and 1 10 
independently determine if such a time slot is coming up, and cross-enable each other's 
bus line drivers using a pair of enable lines 116 and 118 accordingly. In addition, BICs 108 
1 5 and 110 perform decoding, cross-checking and fault detection on received data. Each BIC- 
pairs 108 and 110 also synchronizes to BIC-pairs in other nodes. 

Figs. 3A and 3B illustrate examples of an alternative backplane bus architecture as 
disclosed in above incorporated U.S. application Serial No. (Attorney Docket No. 543-98- 
013). According to the alternative backplane bus architecture, processing nodes are 
20 grouped into multiple physically isolated resource enclosures, one or more processing 
nodes per enclosure. The processing node is connected to a set of four bus signal lines, Ax, 
Bx, Ay and By, as indicated by reference numeral 106 in Figure 3 A. Bus 106 has four 
transmission lines in a dual-dual configuration. Each node includes a microprocessor 
having transmission privileges on one or more of the data lines of the bus 106 during 
25 uniquely designated time slots. In preferred embodiments of the invention, each node 

contains the two arbitration circuits that manage all data transfers between the bus 106 and 
a memory associated with the host processor. The two arbitration circuits independently 
determine if such a time slot is coming up, and cross-enable each other's bus line drivers 
accordingly. In other words, transmission only occurs if both arbitration circuits of a 
30 arbitrator-pair agree. Each arbitration circuit-pair also synchronizes to circuit-pairs in each 
of the other nodes having transmit privileges on the same bus. 
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Time allocation on the individual networks, commonly referred to as time 
partitioning, is administered by network arbitration circuits, or arbitrators, within each 
processing node. The network arbitrator functions in both single and dual processing lane 
architectures. Fig. 3 A illustrates the network arbitrator in a node having a single processor 
5 interface, while Fig. 3B illustrates the network arbitrator in a node having a dual processor 
interface. In Fig. 3 A, a node 150 having a single processor interface includes two network 
arbitrators 152 interfaced to a single processor 154 capable of hosting multiple application 
functions. Processing node 150 includes an Ethernet® phase lock loop (PLL) circuit 156; 
two backplane receivers 158a and 158b; and two backplane transceivers 160a and 160b. 
10 As disclosed in above incorporated U.S. application Serial No. (Attorney Docket 

No. 543-98-013), arbitrators 152 provide synchronization and cross-enabling functionality. 
Arbitrators 152 act analogously to a switch for opening access between processor 154 and 
the data lines during the time period when node 150 is permitted to transmit. Arbitrators 
152 open access to the data lines by enabling transceiver 160 and informing processor 154 
1 5 that the access is open. Arbitrators 1 52 regulate the opening and closing of the access 
between processor 1 54 and the data lines by synchronizing both with counter-part 
arbitrator 152a or 152b internal to node 150 and with other nodes 150, according to clock 
oscillator 162 and an independent table memory 164. Each of arbitrator 152a and 152b 
signals associated processor 154 when access is open. Thus, arbitrators 152 manage all 
20 data transfers between the bus lines and an application memory portion of host processor 
154. 

Fault Tolerant Data Communication Network 

According to the invention, processing nodes are grouped into multiple physically 
isolated resource enclosures, one or more processing nodes per enclosure. An alternative 

25 backplane bus architecture includes multiple independent data communication networks or 
local area networks (LANs), each having two or more data communication lines. Each 
processing node transmits on all the sub-busses of one communication network, 
simultaneously broadcasting identical data on each data line. Each data communication 
network is extended in its entirety from the processing node or nodes in each resource 

30 enclosure to the processing node or nodes in each other resource enclosure. Broadcasting 
privileges for different ones of the data communication networks are dedicated to the 
processing nodes in one enclosure. The data communication network used for broadcasting 
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by the processing nodes in one enclosure are monitored in a receive-only mode by the 
processing nodes in each other enclosure. Data transmissions are thereby received by all 
processing nodes in all enclosures. Furthermore, the individual data communication 
networks are isolated from one another so that transmission synchronization between the 

5 processing nodes of different enclosures is not needed. 

According to preferred embodiments of the invention, each individual network, or 
data line, of each data communication network includes a single data bus on which data is 
transferred in serial fashion, using standard protocol for serial communication. 
Alternatively, data is transferred in parallel fashion. Thus, the preferred minimization of 

10 the number of physical connections associated with the networks is satisfied. Data 
communication networks are preferably formed as high speed data communication 
networks capable of supporting any local area network (LAN) protocol, including 
Ethernet®, lOBase-T, and fast Ethernet or 100Base-T. Alternatively, data communication 
networks support fiber optic Ethernet variations that allow the network's capabilities to be 

1 5 expanded to greater physical distances. 

Network Topology 

The network topology backplane bus architecture of the invention includes multiple 
processing nodes sharing multiple independent data communication networks, each 

20 independent data communication network or bus including multiple independent data lines. 
Each processing node has both transmit and receive privileges on a subset of the data lines 
of each of multiple independent data communication networks, but is restricted to receive 
only privileges on a second subset of the data lines. Each processing node receives data 
transmissions broadcast by other processing nodes on the second subset of the data lines. 

25 The processing nodes use their transmit and receive privileges on the first subset of data 
lines for all of: local communication within the processing node, broadcasting 
transmissions to other processing nodes, and receiving data transmissions from other 
processing nodes. Use of the first subset of data lines is time-shared by all of the 
processing nodes having transmission privileges in synchronization with the other 

30 processing nodes also having transmission privileges on the first subset of data lines. The 
processing nodes enjoying transmit and receive privileges on the first subset of data lines 
are preferably co-located in a first resource enclosure or cabinet. Preferably, one or more 
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processing functions, for example, flight critical functions, are duplicated in additional 
processing nodes located in a second physically isolated resource enclosure or cabinet. 
Each of the data communication networks is extended to the additional processing nodes in 
the second enclosure. The processing nodes in the second enclosure are connected to each 
5 of the first and second data communication networks but are restricted to receiving 
transmissions from the first subset of data lines while they each enjoy both receive and 
transmit privileges on the second subset of data lines. 

The processing nodes in the first enclosure continue to function and communicate 
with one another using the first network if an "active/on" failure in the other enclosure 

1 0 prevents data transfer on the second network. Similarly, the processing nodes in the second 
enclosure continue to function and communicate with one another using the second subset 
of data lines if an "active/on" failure in the first enclosure prevents data transfer on the 
subset of data lines. Thus, the processing nodes in either enclosure can continue to function 
and communicate with one another on one network if an "active/on" failure in the other 

1 5 enclosure prevents data transfer on the other network. Data transfer on any network or 
subset of data lines is unaffected if any processing nodes fail in a "passive/off ' mode, thus 
still active processing nodes continue to communicate on each of the data communication 
networks. 

Fig. 4A illustrates an example of a network topology backplane bus architecture 
20 including two or more resource enclosures or cabinets 200 1, 200 2 through 200n (not 
shown). Resource enclosures 200 each include one, two, or more modules, 210', 210" 
through 210 N , each module hosting one or multiple application functions and sharing the 
backplane bus 212. In Fig. 4 A, multiple modules 210' through 210" are preferably divided 
into two groups physically isolated in resource enclosures 200 1 and 2OO2. For example, 
25 three or more modules 2 1 0i ' , 2 1 0i" through 2 1 0i N are installed in one resource enclosures 
200 1 and another three or more modules 2102', 2IO2" through 2102 N are installed in another 
physically isolated resource enclosure 200 2 . Within each resource enclosure 200 modules 
210' through 210" intercommunicate via fault tolerant data bus 212 of the invention. The 
two groups of modules 210i' through 210i N and modules 2IO2' through 210 2 N also 
30 intercommunicate via fault tolerant data bus 2 1 2 of the invention. 

The network topology backplane bus 212 of the invention includes multiple sets of 
independent data communication networks. Each module 210 broadcasts to all other 
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modules 210 in each enclosure 200 and receives input from all other modules 210 in its 
own and other enclosures 200, but modules 210 within each enclosure 200 transmit or 
broadcast on a different independent data communication network. In the preferred 
embodiment shown in Fig. 4A, the network topology backplane bus 212 preferably 

5 includes two sets "A" and "B" of two multi-transmitter/multi-receiver data sub-busses "x" 
and "y" forming four transmitter/receiver sub-busses Ax, Ay, Bx, By. Each group of 
modules 210 are permitted to transmit on only two of the four data lines. For example, 
modules 21 Of through 210i N of resource enclosure 200 1 are permitted to transmit on the 
two "x" data lines Ax, Bx, while modules 2IO2' through 21 02 N of resource enclosure 2OO2 

10 are permitted to transmit on the two "y" data lines Ay, By. Each of modules 21 Of through 
210i N and modules 2IO2' through 2102 N are permitted to receive on all four 
transmitter/receiver data lines Ax, Bx, Ay, By. Modules 210 that are connected to a data 
communication network in a passive "receive only," or monitoring, mode cannot interfere 
with data traffic on the network. Thus, modules 210i communicate with other modules 

15 2 1 0i locally within first enclosure 200 1 via "x" sub-buses Ax, Bx of first and second data 
communication networks A, B, respectively, and transmit data to remote modules 2IO2 
within second enclosure 2OO2 via "y" sub-buses Ay, By of first and second data 
communication networks A, B, respectively. Similarly, modules 210 2 communicate with 
other modules 2IO2 locally within second enclosure 2OO2 via "y" sub-buses Ay, By of first 

20 and second data communication networks A, B, respectively, and transmit data to remote 
modules 21 0i within first enclosure 200 1 via "x" sub-buses Ax, Bx of first and second data 
communication networks A, B, respectively. 

Fig. 4B illustrates one embodiment of the invention incorporating the 
microprocessor based systems of the aircraft IHAS 10 system, shown in Fig. 1 . In Fig. 4B, 

25 IHAS 220 system module may host applications of any criticality level from non-essential 
to flight critical. As described above, the central computer 18 (shown in Fig. 1) of the 
IHAS 220 system uses conventional programs for generating the basic ground proximity 
warnings (GPWS) including enhanced ground proximity warnings (EGPWS), windshear 
warnings including predictive and reactive windshear alerts, and TCAS alerts, other 

30 surveillance functions may also be included. In Fig. 4B, IHAS 220 module is configured as 
a line replaceable unit, or LRU, having access through one or more I/O modules 222 to and 
from other aircraft systems, including, for example, central computer 18. Aircraft power is 
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supplied via a power supply module 224 to a power bus 226 accessible by all the 
processing functions. The processing functions include, for example, radar processing 228, 
TCAS/ATC processing 230, GPWS or EGPWS processing 232 as well as other 
surveillance functions 234. Radar processing 228 preferably has direct access to radar 

5 antenna inputs while TCAS/ATC processing 230 has direct access to transponder signals. 
IHAS LRU 220 module includes a fault tolerant network topology backplane bus 212 of 
the invention that includes multiple sets of independent data communication networks. 
Each processing unit 228, 230, 232, 234 has both transmit and receive privileges on each 
of two data lines included in a first data communication network and monitors 

1 0 transmissions on a second pair of data lines forming a second data communication 
network. 

One preferred embodiment of the present invention provides additional processing 
redundancy by providing that the two pairs of individual data communication networks are 
used for data communication within and between two redundant sets of processing nodes 

15 in different physically isolated enclosures. In Fig. 4B, network topology backplane bus 212 
extends from the single IHAS LRU 220 module shown to a second redundant IHAS LRU 
220' module having the same functional processing capabilities. Thus, radar processing 
228, TCAS/ATC processing 230, GPWS or EGPWS processing 232 and other surveillance 
functions 234 are repeated in second IHAS LRU 220' module. Similar processing nodes 

20 included in second IHAS LRU 220' module have both transmit and receive privileges on 
each of two data lines included in the second data communication network and monitors 
transmissions on the pair of data lines forming the first data communication network. 

Flexible Topology 

25 Fig. 5 illustrates the flexibility of the fault tolerant backplane bus architecture of the 

invention disclosed in Figs. 4A and 4B. In Fig. 5, the network topology backplane bus 
architecture of Fig. 4 is combined with one or more stand-alone line replaceable units or 
LRU, each including one or more function modules 300 1 through 300 N . Modules 
300 1 through 300 N may host multiple application functions that also share the backplane 

30 bus. In Fig. 5 two independent and isolated data communication networks "A" and "B" 
having data lines Ax, Ay and Bx, By, respectively, are shared by a first quantity of 
modules 300 1 through 300 N co-located in a resource enclosure 302. Modules 300 1 through 
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300 N enjoy both transmission and reception privileges on "x" data lines Ax and Bx of data 
communication networks A, B, respectively. Modules 300 1 through 300 N each use "x" data 
lines for all of: local communication within the processing node, broadcasting 
transmissions to other processing nodes, and receiving data transmissions from other 

5 processing nodes. Modules 300 1 through 300 N are restricted to receive only privileges on 
"y" data lines Ay, By of data communication network A, B, respectively. Each data 
communication network A and B is extended to interconnect with one or more remotely 
located line replaceable units or LRU 304 including, for example, processor 306 and I/O 
module 308 for exchanges with other aircraft systems. Optionally, LRU 304 is either an 

1 0 additional processing function or a redundant flight critical processing function also 
included in enclosure 302 as one of modules 300 1 through 300 N . 

LRU 304 receives transmissions from modules 300 1 through 300 n in enclosure 302 
on "x" data lines Ax and Bx and transmit data to modules 300 1 through 300 N on "y" data 
lines Ay, By. As described above, LRU 304 is restricted to receive only privileges on "x" 

15 data lines Ax and Bx, but has both transmit and receive privileges on "y" data lines Ay, 
By. LRU 304 uses its transmit and receive privileges on "y" data lines for local 
communication of private messages, broadcasting transmissions to modules and/or 
processing nodes, and receiving data transmissions from other LRUs, modules and/or 
processing nodes. 

20 Additionally or optionally, data communication is extended to another LRU 310 

having, for example, a processor 312 and an I/O module 314. Accordingly, "x" data lines 
Ax and Bx of data communication networks A, B, respectively, on which modules 
300 1 through 3 00 N transmit data, are extended to one or more remotely located LRU 310 
such that data transmitted by any of modules 300 1 through 300 N is available to each LRU 

25 310. Each LRU 3 1 0 is interconnected to receive transmissions on "x" data lines Ax and Bx 
but is restricted from broadcasting transmissions of its own on these data lines. Thus, any 
failure of an LRU 310, either "active/on" or "passive/off," does not affect the ability of 
modules 300 1 through 300 N transmitting and receiving on the affected network, which 
continue uninterrupted service. As described above, each independently configured LRU 

30 310 includes an additional data communication network C, preferably having multiple data 
lines. Each LRU 310 uses dedicated data communication network C for local 
communication. Fault tolerance is provided by having processor 3 12 in each LRU 310 
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revert to a stand-alone operation and continue to operate processes that do not require 
information from modules 3001 through 300n in stand-alone fashion when one or more of 
modules 3001 through 300n fails in an "active/on" mode thus preventing other nodes from 
transferring data on the affected bus line. 
5 Fig. 6 is another illustration of the flexible topology of the present invention. In 

Fig. 6 multiple modules 320 1 through 320 N are configured in a triad of resource enclosures 
322, 324 and 326. Modules 320 1 through 320 N may host multiple application functions that 
also share the backplane bus. The network configuration illustrated in Fig. 4 is duplicated 
in a first enclosure 322, wherein modules 320 1 through 320 N enjoy both transmission and 
1 0 reception privileges on "x" data lines Ax and Bx of data communication networks A, B, 
respectively. Modules 320 1 through 320 N in first enclosure 322 communicates with all 
other modules 320 1 through 320 N over the multiple data lines Ax and Bx of first and 
second data communication networks A, B, respectively, as described in connection with 
Fig. 4. Modules 320 1 through 320 N in first enclosure 322 are connected in a receive-only 
15 mode to the two data lines Ay and By of first and second data communication networks A, 
B, respectively, for receiving data transmissions from other modules 320 1 through 320 N in 
additional resource enclosures, as also described in connection with Fig. 4. One each of 
data communication networks "A" and "B" extends to one of resource enclosures 324 and 
326. For example, data communication network "A," including data lines Ax and Ay, 
20 extends to resource enclosure 324, while data communication network "B," including data 
lines Bx and By extend to resource enclosure 326. 

Modules 320 1 through 320 N in second enclosure 324 are connected in a receive- 
only mode to two data lines: data line Ax of first data communication network "A" and 
data line Cy of a third data communication network "C," for receiving data transmissions 
25 from modules in first and third resource enclosures 322 and 326, respectively. Modules 
320 1 through 320 N in second enclosure 324 are also connected in a receive/transmit mode 
to two data lines: data line Ay of data communication network "A" and data line Cx of 
data communication network "C," for communicating with other modules within second 
enclosure 324 and transmitting data to modules remotely located in first enclosure 322 and 
30 third enclosure 326, respectively. Thus, modules in second enclosure 324 communicates 
with modules in resource enclosure 322 via data communication network "A" and 
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communicates with modules in resource enclosure 326 via data communication network 
"C." 

Modules 320 1 through 320 N in third enclosure 326 are connected in a receive-only 
mode to two data lines: data line Bx of second data communication network "B" and data 
5 line Cx of third data communication network "C," for receiving data transmissions from 
modules in first and second resource enclosures 322 and 324, respectively. Modules 
320 1 through 320 N in third enclosure 326 are also connected in a receive/transmit mode to 
two data lines: data line By of data communication network "B" and data line Cy of data 
communication network "C," for communicating with other modules within third 
1 0 enclosure 326 and transmitting data to modules remotely located in first enclosure 322 and 
second enclosure 324, respectively. 

Thus, the topology of the network backplane bus illustrated in Fig. 4 is extended to 
modules remotely located in at least one additional resource enclosure, third enclosure 326, 
without any change in the interfaces to the data communication networks. Modules in each 
15 resource enclosure 322, 324 and 326 interface with two data communication networks each 
formed of two independent data lines. Modules in each resource enclosure 322, 324 and 
326 have both transmit and receive privileges on one network pair while being restricted to 
receive-only privileges on the other network pair. Preferably, the modules time-share the 
data communication network on which they have transmission privileges in 
20 synchronization with other modules also having transmission privileges on that network, 
but other known carrier sense multiple access/collision avoidance (CSMA/CA) schemes, 
such as Ethernet®, lOBase-T, and 100Base-T, are equally applicable. So far, modules in 
each resource enclosure 322, 324 and 326 interface with the two data communication 
networks as described in Fig. 4. However, the data communication networks are 
25 interconnected to other resource enclosures in a more flexible topology, whereby 

communication between modules in any two resource enclosures continues uninterrupted 
over the interconnecting network in the event one or more modules in any one resource 
enclosure fail in either of an "active/on" mode, preventing communications on the affected 
network, or a "passive/off' mode. 
30 Additionally, communications between all of the modules in all of the enclosures 

continues in the event one data communication network is lost. Loss of a network 
interconnecting modules in any two resource enclosures, for example, network "A" 
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interconnecting resource enclosures 322 and 324 is compensated by the combination of 
network "C" connecting resource enclosure 322 to enclosure 326 and network "B" 
connecting resource enclosure 326 to enclosure 324. Modules in third enclosure 326 route 
the data transmitted from modules in first enclosure 322 to second enclosure 324 and route 

5 the data transmitted from modules in second enclosure 324 to first enclosure 322. Thus, the 
backplane bus of the invention can be extended to provide as much as triple redundancy of 
one or more flight critical processing functions or can be used to isolate enhanced 
functions from one another or from flight critical functions. 

As with the network topology illustrated in Figs. 4A and 4B, the flexible topology 

10 of Fig. 6 can be further extended to additional modules in additional resource enclosures as 
indicated by arrows on sub-busses Ax, Ay, Bx, By, Cx and Cy. 

Federated Topology 

In a federated topology system individual data communication networks are 

1 5 dedicated for local communication within each resource enclosure while one or more data 
communication networks are time-shared by all the resource enclosures. Federated 
topology uses the same data communication networks as those used by the above network 
topology and the same processor-to-network interfaces. Only the routing of the network is 
different. Fault tolerance is provided by having the processing node or nodes in each 

20 enclosure revert to a stand-alone configuration, wherein the processing node or nodes in 
each unaffected enclosure continue to operate in stand-alone fashion when a node or nodes 
in an affected enclosure fail in an "active/on" mode thus preventing other nodes from 
transferring data on the affected bus line. Given an "active/on" failure, the federated 
topology backplane bus architecture provides continued functionality of processes that do 

25 not require interaction and information exchange between independent LRUs. 

Nodes in unaffected enclosures continue to operate in federated fashion when a 
node or nodes in an affected enclosure fail in a "passive/off mode thus leaving the bus 
line available for other nodes in unaffected enclosures to freely transfer data while 
excluding the node or nodes in the affected enclosure. Given a "passive/off failure mode, 

30 the federated topology backplane bus architecture of the invention provides graceful 
degradation through the loss of one or more enhanced functions to a functionality that 
includes continued interaction and information exchange between functional LRUs. 
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Fig. 7A illustrates an example of a federated topology backplane bus architecture 
including two, three or more processing nodes formed as line replaceable units or LRUs 
400. Each LRU 400 includes a local data communication network, preferably having two 
or more local data lines 402, for private communication. For example, each LRU 400 
5 includes at least a function processor 404 and an I/O module 406 for communicating with 
other aircraft systems. Processor 404 and I/O module 406 communicate via the local data 
communication network. The one or more processing nodes in each LRU 400 are 
interconnected to another data communication network 408 having multiple data lines. 
Each LRU 400 has both receive and transmit privileges on data communication network 
10 408, preferably on a time-shared basis or another known carrier sense multiple 
access/collision avoidance (CSMA/CA) scheme, such as Ethernet®, lOBase-T, and 
100Base-T. Optionally, two or more processing nodes, each having a processor 404 and an 
I/O module 406, are enclosed in a resource enclosure and together form a LRU 400'. 
Alternatively, when any processor 404 is a flight critical function, one or more redundant 
1 5 processor function 404 is provided in a one or more additional LRU 400 N which is 
physically isolated in a suitably protected fashion. 

The federated topology backplane bus architecture represented in Fig. 7A by data 
communication network 408 provides the additional advantage of being easily expandable 
to include one or more additional LRU 400 N . Additional LRU 400 N provides any 
20 processing function, including additional functions and redundant flight critical functions. 
Additional LRU 400 N is either physically isolated in a suitably protected fashion remotely 
from other LRUs 400 or co-located near or in the same enclosure 400' with other LRUs 
400. In either configuration, each additional LRU 400 N includes a dedicated local data 
communication network, preferably having two or more local data lines 402, for private 
25 communication locally within the LRU. Data communication network 408 is extended to 
each additional LRU 400 N and interconnected thereto. Additional LRU 400 N enjoys 
transmit and receive privileges on data communication network 408, preferably in a 
synchronized time-sharing fashion with other connected LRUs 400. 

30 Fig. 7B illustrates one embodiment of the invention using federated topology 

backplane bus architecture and incorporating the microprocessor based systems of the 
aircraft IHAS 10 system, shown in Fig. 1. In Fig. 7B, IHAS 460 system is configured as 
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multiple line replaceable units or LRUs providing processing for applications of any 
criticality level form non-essential to flight critical. Each LRU includes a power supply 
module 464 providing aircraft power to the processing node and an I/O module 466 for 
communication with other aircraft systems. The processing functions of IHAS 460 system 
5 are provided individually in, for example, LRU 462, LRU 464, LRU 466, and LRU 468. 
For example, LRU 462 includes radar processing 470; LRU 462 includes TCAS/ATC 
processing 472; LRU 464 includes GPWS or EGPWS processing 474; while LRU 468 
includes other surveillance functions 476. Radar processing 470 preferably has direct 
access to radar antenna inputs while TCAS/ATC processing 472 has direct access to 
1 0 transponder signals. IHAS system 460 is configured using a fault tolerant federated 
topology backplane bus of the invention that includes multiple sets of independent data 
communication networks. First independent data communication networks 480 is local to 
radar processing LRU 462 for communication within the processing node. As shown, each 
other LRU 464, LRU 466 and LRU 468 include similar independent data communication 
1 5 networks local to the respective LRU for communication within the processing node. 
Second data communication network 482 is accessed in a receive/transmit mode by each 
LRU 462. Each LRU 462 has both transmit and receive privileges on each of two sub- 
busses included in second data communication network 478. 

LRU 462, 464, 466 and 468 and any additional LRU containing additional 
20 processing nodes are optionally co-located in a single resource enclosure or cabinet 484. 
Additionally, according to one preferred embodiment of the present invention, additional 
processing redundancy by providing that one or more flight critical processes are provided 
in at least two redundant sets of processing nodes located in different physically isolated 
enclosures (not shown). When processing nodes are located in two or more different 
25 physically isolated enclosures, fault tolerant data communication bus 482 optionally 

extends between the individual enclosures and is preferably time-shared by the processing 
nodes of each LRU. 

Bus Determinism 

30 As described above, multiple system resources, or processing nodes, have data 

transmission privileges on each local area network (LAN), or data communication 
network, A and B. Hence, the available data transmission bandwidth on each data line, or 
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data line, is allocated between the various processing nodes. According to above 
incorporated co-pending application Serial No. 09/009,463, time allocation, or time 
partitioning, on the individual networks is provided by time-multiplexing on each network. 
Time-multiplexing provides each processing node having transmission privileges on the 

5 network a transmission time slot period having a specified frame length, thus guaranteeing 
maximum bandwidth and network efficiency. Above incorporated co-pending U.S. 
application Serial No. (Attorney Docket No. 543-98-013) provides another alternative bus 
communication protocol for use in an Integrated Hazard Avoidance System of the type 
generally described above. However, the bus communication protocol described herein are 

1 0 provided purely as illustration; the invention is completely independent of bus 
communication protocol and is not intended to be limited in scope to the various 
illustrative protocols described herein. 

Extension To Aircraft System Busses 
1 5 Figs. 4 through 7 illustrate the alternative backplane bus architecture using various 

local area network topologies but applied to restricted processing "domains" rather than the 
aircraft system buses. The invention is equally and similarly applicable to aircraft system 
bus networks having a dual-dual configuration, as described above. According to one 
alternative embodiment of the invention applied to one or more aircraft system busses, 
20 processing nodes are configured according to any of the above network topology, flexible 
topology, federated topology, or a combination thereof. In a preferred embodiment, the 
aircraft system bus is configured of multiple data communication networks, or local area 
networks (LANs), each formed of multiple data lines. Each processing node uses the above 
described interface to transmit on one group of sub-busses, simultaneously broadcasting 
25 data on each of one or more sub-busses, and receives on one or more sub-busses forming 
another network group. Preferably, redundant processing nodes repeated in different 
resource enclosures have transmit/receive privileges different ones of the sub-busses of 
different data communication networks to provide maximum fault protection. 

Fig. 8 illustrates the alternative embodiment of the invention applied to multiple 
30 redundant aircraft system busses. In Fig. 8, an aircraft system 600 includes one or more 
modules or processing functions formed as multiple resource enclosures, or cabinets, 610 
in accordance with the network topology backplane domain bus architecture of the 
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invention; enclosures 620 in accordance with the federated topology backplane domain bus 
architecture of the invention; and enclosures 630 in accordance with the flexible topology 
backplane domain bus architecture of the invention, for example, the triple cabinet 
configuration illustrated in Fig. 6. The modules of each enclosure 610, 620, 630 
5 communicate with modules in others enclosures using the domain data communication 
networks as described above. 

In Fig. 8 the modules of each enclosure 610, 620, 630 are connected for 
communication with other resources on the aircraft system busses via I/O modules 612, 
622 and 632, respectively. Enclosures 610 joined in accordance with network topology 
1 0 preferably follow the protocol described above, wherein each of two I/O modules is 

coupled in a receive-only mode to receive data transmissions on one data line, or data line, 
of one data communication network and is coupled to both transmit and receive on one 
data line of another network. Thus, enclosures 610 configured using a dual-dual 
redundancy scheme for inter-enclosure communication use a similar scheme for 
1 5 communication over the aircraft bus. 

Enclosures 620 1 through 62 0 N joined in accordance with federated topology 
preferably follow the protocol described above, wherein a local network is used 
exclusively for private communication within each line replaceable unit, or LRU, and an 
I/O module couples the LRU in a receive-only mode to both transmit and receive on one 
20 network. Thus, enclosures 620 can stand-alone and continue to communicate with other 
aircraft systems over the aircraft bus. Additionally, domains formed using federated 
topology may use one or more of the aircraft system data communication networks for 
local communication among themselves. According to one alternative embodiment, each 
LRU is also coupled with the aircraft system bus in a receive-only mode, as shown. 
25 Enclosures 630 configured in accordance with one of the above described flexible 

topology schemes, for example, in a three-cabinet scheme, preferably follow the protocol 
described above, wherein one or more processing modules within different resource 
enclosures 630 1 , 630 2 and 630 3 are communicate with modules in each of the other 
enclosures using the dual-dual redundancy scheme for inter-enclosure communication. 
30 Modules 630 1 , 63 0 2 and 630 3 may host multiple application functions that also share the 
backplane bus. 
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One or more I/O module 632 of each enclosure 630 couples the resource to the 
aircraft system bus using a dual-dual redundancy scheme. Preferably, the transmit/receive 
privileges of each I/O module 632 of each resource enclosure 630 interfaces to a different 
network pair and the more restrictive receive-only connections also interface to a different 

5 network pair, as described above. Furthermore, in a preferred embodiment, the 

transmit/receive interfaces and the receive-only interfaces for each of enclosures 630 occur 
on a distributed selection of the aircraft system networks, such that maximum interface 
redundancy is provided, as shown. 

Those of ordinary skill in the art will recognize that the data rate of the domain 

1 0 networks can vary from that of the aircraft system networks without affecting the practice 
of the invention. Furthermore, the alternative backplane bus architecture of the invention 
using local area network domain topologies can be practiced using a one or any 
combination of different ones of the above described topologies. 

1 5 While the preferred embodiment of the invention has been illustrated and 

described, it will be appreciated that various changes can be made therein without 
departing from the spirit and scope of the invention. Furthermore, although the preferred 
embodiment of the invention as disclosed above is particularly suited to aircraft safety and 
warning systems such as the IHAS described above in connection with Fig. 1 , it will be 

20 appreciated that the data bus system of the invention could find application in many data 
processing applications where data integrity and fault tolerance are important. Also, it will 
be apparent that modifications of the particular system described above could be made by 
those who are skilled in the art that would fall within the scope of the invention claimed 
herein. Such modifications could arise from a number of factors including: the 

25 environment in which the data bus system is to be used, the availability and cost of 
hardware and the specific nature of the application. 
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Claims 

1 . A network topology backplane bus architecture comprising: 
a plurality of independent data communication lines; 

a plurality of processing nodes sharing said independent data communication lines 
5 for data communication; 

one of said processing nodes transmitting and receiving on a first subset of said 
data communication lines and receiving on a second subset of said data communication 
lines; and 

another of said processing nodes transmitting and receiving on said second subset 
10 of said data lines and receiving on said first subset of said data lines. 

2. The network topology backplane bus architecture recited in claim 1 , wherein ones 
of said independent data communication lines comprise a first independent data 
communication network and different ones of said independent data communication lines 

5 comprise a second independent data communication network 

3. The network topology backplane bus architecture recited in claim 2, wherein ones 
of said first subset of said data communication lines in combination with ones of said 
second subset of said data communication lines comprise one of said first and second 

20 independent data communication networks; and 

different ones of said first subset of said data communication lines in combination 
with different ones of said second subset of said data communication lines comprise a 
different one of said first and second independent data communication networks 

25 4. The network topology backplane bus architecture recited in claim 1 , wherein said 
one of said processing nodes transmitting and receiving on a first subset of said data 
communication lines utilizes said first subset of said data communication lines for local 
communication within said processing node. 

30 5. The network topology backplane bus architecture recited in claim 4, wherein said 
one of said processing nodes transmitting and receiving on a first subset of said data 



s:\law_fiIe\dockets\Utility App - Topolgy 23 



Patent Application 
Attorney Docket No.. 543-98-015 



communication lines further utilizes said first subset of said data communication lines for 
broadcasting transmissions to another of said processing nodes. 

6. The network topology backplane bus architecture recited in claim 4, wherein said 
5 one of said processing nodes transmitting and receiving on a first subset of said data 

communication lines further utilizes said first subset of said data communication lines for 
receiving data transmissions from another of said processing nodes. 

7. The network topology backplane bus architecture recited in claim 4, wherein said 
1 0 one of said processing nodes transmitting and receiving on a first subset of said data 

communication lines is one of a plurality of said processing nodes transmitting and 
receiving on said first subset of said data communication lines. 

8. The network topology backplane bus architecture recited in claim 7, wherein each 
1 5 of plurality of processing nodes transmitting and receiving on said first subset of said data 

communication lines are co-located in a first resource enclosure. 

9. The network topology backplane bus architecture recited in claim 7, wherein each 
of plurality of processing nodes transmitting and receiving on said first subset of said data 

20 communication lines time-shares said data communication lines with others of said 
plurality of processing nodes transmitting and receiving on said first subset of said data 
communication lines. 

10. The network topology backplane bus architecture recited in claim 9, wherein each 
25 of plurality of processing nodes transmitting and receiving on said first subset of said data 

communication lines time-shares said data communication lines in synchronization with 
others of said plurality of processing nodes transmitting and receiving on said first subset 
of said data communication lines. 

30 11. The network topology backplane bus architecture recited in claim 5, wherein said 
processing node transmitting and receiving on said second subset of said data lines and 
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receiving on said first subset of said data lines utilizes said second subset of said data 
communication lines for local communication within said processing node. 

12. The network topology backplane bus architecture recited in claim 1 1 , wherein said 
processing node transmitting and receiving on said second subset of said data 
communication lines further utilizes said second subset of said data communication lines 
for broadcasting transmissions to another of said processing nodes. 

13. The network topology backplane bus architecture recited in claim 12, wherein ones 
of said processing nodes supports different ones of flight critical functions. 

14. The network topology backplane bus architecture recited in claim 13, wherein one 
or more of said processing nodes supporting one of said flight critical functions is 
duplicated in one or more additional ones of said processing nodes. 

1 5. The network topology backplane bus architecture recited in claim 14, wherein one 
of said processing nodes supporting said one of said flight critical functions is located in a 
first resource enclosure; and 

at least one of said additional processing nodes supporting said one of said flight 
critical functions is located in a physically isolated second resource enclosure. 

16. A network topology backplane bus architecture comprising: 

a plurality of processing nodes transmitting and receiving data communications; 

a plurality of independent data communication networks formed of a plurality of 
independent data communication lines, a subset of said data communication networks 
extending between ones of said plurality of processing nodes; 

a first subset of ones of said data communication lines allocated to a first of said 
processing nodes for transmitting and receiving data communications, said first subset of 
said data communication lines further allocated to a second of said processing nodes for 
receiving data communications; 

a second subset of ones of said data communication lines allocated to said second 
processing nodes for transmitting and receiving data communications, said second subset 

s:\law_file\dockets\Utility App - Topolgy 25 



Patent Application 
Attorney docket No.: 543-98-015 



of said data communication lines further allocated to said first processing nodes for 
receiving data communications. 

17. The network topology backplane bus architecture recited in claim 16, wherein each 
5 of said plurality of processing nodes supports one or more processing functions. 

18. The network topology backplane bus architecture recited in claim 1 7, wherein said 
first subset of said data communication lines comprises ones of said plurality of 
independent data communication lines forming each two or more of said plurality of 

1 0 independent data communication networks; and 

said second subset of said data communication lines comprises different ones of 
said plurality of independent data communication lines forming each two or more of said 
plurality of independent data communication networks. 

15 19. The network topology backplane bus architecture recited in claim 17, wherein said 

subset of said data communication networks extending between ones of said plurality of 

processing nodes comprises: 

said first subset of ones of said data communication lines allocated to said first 

processing node for transmitting and receiving data communications; and 
20 said second subset of ones of said data communication lines allocated to said 

second processing node for transmitting and receiving data communications. 

20. The network topology backplane bus architecture recited in claim 1 9, wherein said 
first processing node is one of a plurality of first processing nodes each transmitting and 

25 receiving on said first subset of data communication lines; and 

said second processing node is one of a plurality of second processing nodes each 
transmitting and receiving on said second subset of data communication lines. 

21 . The network topology backplane bus architecture recited in claim 20, wherein each 
30 of said plurality of first processing nodes are co-located in a first resource enclosure. 
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22. The network topology backplane bus architecture recited in claim 20, wherein each 
of said plurality of first processing nodes time-shares said data communication lines with 
others of said plurality of first processing nodes. 

5 23 . The network topology backplane bus architecture recited in claim 20, wherein one 
or more of said processing nodes supporting one of said processing functions is duplicated 
in one or more additional ones of said processing nodes. 

24. The network topology backplane bus architecture recited in claim 23, wherein a 
1 0 first one of said processing nodes supporting said one of said processing functions is 

located in a first resource enclosure; and 

at least one of said additional processing nodes supporting said one of said 
processing functions is physically isolated from said first one of said processing nodes in a 
second resource enclosure. 

15 

25. The network topology backplane bus architecture recited in claim 17, wherein said 
first subset of data communication lines allocated to a first of said processing nodes for 
transmitting and receiving data communications and said second subset of data 
communication lines allocated to said second processing node for transmitting and 

20 receiving data communications comprises a first of said data communication networks, 
said first data communication networks extending between ones of said plurality of 
processing nodes; 

additional different ones of said plurality of independent data communication lines 
comprise a second of said data communication networks allocated to said first processing 
25 nodes for transmitting and receiving data communications among said first processing 
nodes; and 

additional different ones of said plurality of independent data communication lines 
comprise a second of said data communication networks allocated to said second 
processing nodes for transmitting and receiving data communications among said second 
30 processing nodes. 
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26. The network topology backplane bus architecture recited in claim 25, wherein said 
first processing nodes comprise a single processing node supporting a first processing 
function; and 

said second processing nodes comprise a single processing node supporting a 
5 second processing function. 

27. The network topology backplane bus architecture recited in claim 26, wherein said 
first and second processing nodes are co-located in a single resource enclosure. 

10 28. The network topology backplane bus architecture recited in claim 26, wherein said 
first and second processing nodes are located in respective first and second physically 
isolated resource enclosures. 

29. The network topology backplane bus architecture recited in claim 26, wherein said 
1 5 first processing function and said second processing functions are essentially identical 

processing functions. 

30. A method of sharing independent data communication lines for fault tolerant data 
communication among a plurality of processing nodes, the method comprising: 

20 permitting to first processing nodes both transmitting and receiving privileges on a 

first subset of data communication lines and permitting receiving privileges to second 
processing nodes on said first subset of data communication lines; 

permitting to the second processing nodes both transmitting and receiving 
privileges on said second subset of data communication lines and permitting receiving 

25 privileges to the first processing nodes on said second subset of data communication lines. 

31. The method recited in claim 30, further comprising extending said first and second 
subsets of data communication lines between the first and second processing nodes. 

30 32. The method recited in claim 3 1 , further comprising isolating ones of said first 
subset of data communication lines and ones of said second subset of data communication 
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lines from other different ones of said first and second subsets of data communication 
lines. 

33. The method recited in claim 30, wherein said first and second subsets of data 

5 communication lines comprise a single subset of inter-nodal data communication lines; 
and further comprising: 

permitting both the first and second processing nodes to both transmit and receive 
on said inter-nodal data communication lines; 

permitting the first processing nodes to both transmit and receive on a first 
1 0 additional subset of data communication lines; and 

permitting the second processing nodes to both transmit and receive on a second 
additional subset of data communication lines. 

34. A method of sharing independent data communication lines for fault tolerant data 
1 5 communication among a plurality of processing nodes, the method comprising: 

permitting first processing nodes to both transmit and receive on a first subset of 
data communication lines and permitting the first processing nodes to receive on a second 
subset of data communication lines; 

permitting second processing nodes to both transmit and receive on said second 
20 subset of data communication lines and permitting the second processing nodes to receive 
on said first subset of data communication lines. 
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ABSTRACT OF THE DISCLOSURE 

The present invention provides a fault tolerant bus architecture and protocol for use 
in an Integrated Hazard Avoidance System of the type generally used in avionics 
applications. In addition, the present invention may also be used in applications, aviation 
and otherwise, wherein data is to be handled with a high degree of integrity and in a fault 
tolerant manner. Such applications may include for example, the banking industry or other 
safety critical processing functions, including but not limited to environmental control. 



s:\law_file\dockets\Utility App - Topolgy 30 



1/11 



DIRECTIONAL 

ANTENNA 



12-^ 



-14 



18-, 



10- 



24-x 
22- 



H I I 

I TCAS H-H 

I I I 



I I 



COMPUTER 



I 

I/O h 



DIRECTIONAL 
ANTENNA 



-16 



30^. 



COCKPIT 
DISPLAYS 



ANTENNA 







RADAR 



FLIGHT 
DATA 



2/11 



-100 



132- 



110^ 



CLOCK 



TABLE 
MEMORY 



| NODE-ID 
\^-U4 144 



PROCESSOR 



IE 



-102 



i£ 



MEMORY 



I ,-104 



r 108 





EXCHANGE 




BIC-X 




BIC-Y 


HANDSHAKE 
ENABLE 



CLOCK 



I TABLE \p 

\ MEMORY 



NODE-ID j 




3/11 



s 




1 

lis? 
:3 



9 








i 
















BIl 

cm 




1 













7 



4/11 



_v_- v 




l_ 



-r- 



5/11 




6/11 




7/11 




8/11 




9/11 




10/11 




11/11 




Attorney's Docket No.: 543-9 

DECLARATION FOR PATENT APPLICATION 
SOLE OR JOINT 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name. 

I believe I am an original, first and joint inventor of the subject matter which is claimed and for which a patent is sought on the invention titled: 

FAULT TOLERANT DATA COMMUNICATION NETWORK 
the specification of which is attached hereto. 

HEREBY STATE THAT I HAVE REVIEWED AND UNDERSTAND THE CONTENTS OF THE ABOVE-IDENTIFIED SPECIFICATION, 
INCLUDING THE CLAIMS. 

I ACKNOWLEDGE THE DUTY TO DISCLOSE INFORMATION WHICH IS MATERIAL TO THE EXAMINATION OF THIS 
APPLICATION IN ACCORDANCE WITH TITLE 37, CODE OF FEDERAL REGULATIONS, § 1.56(a). 

I hereby claim foreign priority benefits under Title 35, United States Code, § 1 19 of any foreign application(s) for patent or inventor's certificate 
listed below and have also identified below any foreign application for patent or inventor's certificate having a filing date before that of the 
application on which priority is claimed: 
Prior Foreign Application(s) 



(Day/Month/Year Filed) 



(Day/Month/Year Filed) 



B B 

Yes No 

B B 



I hereby claim the benefit under Title 35, United States Code, § 120 of any United States applications listed below and, INSOFAR AS THE 
SUBJECT MATTER OF EACH OF THE CLAIMS OF THIS APPLICATION IS NOT DISCLOSED IN THE PRIOR UNITED STATES 
APPLICATION IN THE MANNER PROVIDED BY THE FIRST PARAGRAPH OF TITLE 35, UNITED STATES CODE, §1 12, 1 
ACKNOWLEDGE THE DUTY TO DISCLOSE MATERIAL INFORMATION AS DEFINED IN TITLE 37, CODE OF FEDERAL 
REGULATIONS, § 1.56(a) WHICH OCCURRED BETWEEN THE FILING DATE OF THE PRIOR APPLICATION AND THE NATIONAL 
OR PCT INTERNATIONAL FILING DATE OF THIS APPLICATION: 

60/113,787 12/22/98 Pending 

(Application Serial Number) (Filing Date) (STATUS: Patented, Pending, Abandoned) 



(Application Serial Number) (Filing Date) (STATUS: Patented, Pending, Abandoned) 

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and 
transact all business in the Patent and Trademark Office connected herewith (List name and registration number). 

(LIST SENIOR PATENT COUNSEL AND ATTORNEY HANDLING CASE WITH PATENT OFFICE REGISTRATION NUMBERS.) 



Jeanne C. Suchodolski 


Loria Yeadon 


Robert Desmond 


Name 






34,936 


35,063 


38,430 


Registration Number 


Registration Number 


Registration Number 


John Donofrio 


Larry Palguta 










32,339 


29,575 




Registration Number 


Registration Number 


Registration Number 



SEND CORRESPONDENCE TO: Jeanne C. Suchodolski 

AlliedSignal, Inc. 

P.O. Box 2245, 101 Columbia Road 
Morristown, New Jersey 07962 

DIRECT TELEPHONE CALLS TO: Jeanne C. Suchodolski (425) 885-8509 
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DECLARATION FOR PATENT APPLICATION— SOLE OR JOINT (Continued) Attorney's Docket No.: 543-98-015 Page 2 of 2 

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief 
are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code, and that such willful false statements may 
jeopardize the validity of the application or any patent issuing thereon. 



FULL NAME OF SOLE OR FIRST INVENTOR 



RESIDENCE 




INVENTOR'S SIGNATURE ^ 

23527 NE 22nd Sft^Redmondf^A 98053-4415 



CITIZENSHIP — BS- MfckV>g<U>Wg(s < ~¥~ 
POST OFFICE ADDRESS - Nelliei lands ■Sa^ ' 



FULL NAME OF SECOND JOINT INVENTOR Michael To£i% 

INVENTOR'S SIGNATURE MujLJ^ \j — Date 30 A>0 V 99 

RESIDENCE 9301 Avondale Road NE Apt U-21 15, Redmond, WA 98052 

CITIZENSHIP Canada . . 

POST OFFICE ADDRESS Same 

FULL NAME OF THIRD JOINT INVENTOR 

INVENTOR'S SIGNATURE 

RESIDENCE 

CITIZENSHIP 

POST OFFICE ADDRESS 

FULL NAME OF FOURTH JOINT INVENTOR 

INVENTOR'S SIGNATURE 

RESIDENCE 

CITIZENSHIP 

POST OFFICE ADDRESS 



POST OFFICE ADDRESS 
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